Ukraine police raid accounting software company as part of NotPetya investigation
Police in the Ukraine have seized the servers of Intellect Service, a company supplying accounting software, as part of their investigation into the NotPetya ransomware attack.
A malicious update to Intellect's MeDoc accounting package is believed to have been responsible for some of the initial NotPetya infections.
The head of Ukraine's cyber police, Serhiy Demedyuk, says the software was subject to a supply chain attack. This would have involved gaining access to the source code in order to insert a back door that delivers a remote access Trojan.
A police spokesman says that MeDoc was preparing to send out a new update and that the police carried out the raid to "immediately stop the uncontrolled proliferation." The fast response should have prevented further damage from occurring.
MeDoc's software is used by around 80 percent of businesses in the Ukraine. The police have advised users to disconnect any PCs running the software from the internet and to change their passwords and digital signatures.
The company's staff are said to be cooperating fully with the investigation. There is some suggestion that Intellect Service ignored repeated warnings that it needed to improve its security in the run-up to the attack; however, the company's management has denied this.
"With police investigations increasingly pointing towards the MeDoc accounting software being used as a vector for the NotPetya attack, it is becoming clearer than ever that organisations need to step up protection to prevent their software from being weaponized," says Mark Noctor, VP EMEA at application protection specialist Arxan Technologies. "While it is unclear how the software was accessed, the attacker would almost certainly have manipulated the application's binary code to subvert it. Almost any application could potentially be weaponized in this way, so organisations need to ensure they deploy advanced protection techniques to prevent their products being used to attack their customers."
The police raid on Intellect Service follows $10,000 worth of Bitcoin being withdrawn overnight from the wallet set up in connection with the malware. Given the scale of the attack, this must be seen as a rather disappointing haul.